From 191609f2cfcbfbd783d7e2753a6b1d5af25c4fe6 Mon Sep 17 00:00:00 2001
From: "Bernhart, Bryan"
Date: Mon, 22 Jan 2024 17:44:52 -0800
Subject: [PATCH] Set token permissions in workflows.
---
 .github/workflows/linux_auto_assign_author.yaml | 3 ++-
 .github/workflows/linux_clang_format_check.yaml | 1 +
 .github/workflows/linux_publish_api_docs.yaml | 1 +
 .github/workflows/win_auto_roll.yaml | 1 +
 .github/workflows/win_x64_cmake_msvc_dbg.yaml | 1 +
 .github/workflows/win_x64_cmake_msvc_rel.yaml | 1 +
 .github/workflows/win_x64_gn_clang_dbg.yaml | 1 +
 .github/workflows/win_x64_gn_clang_dbg_dawn.yaml | 1 +
 .github/workflows/win_x64_gn_clang_rel.yaml | 1 +
 .github/workflows/win_x64_gn_clang_rel_dawn.yaml | 1 +
 .github/workflows/win_x64_gn_msvc_dbg.yaml | 1 +
 .github/workflows/win_x64_gn_msvc_rel.yaml | 1 +
 .github/workflows/win_x86_gn_clang_dbg.yaml | 1 +
 .github/workflows/win_x86_gn_clang_rel.yaml | 1 +
 14 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/linux_auto_assign_author.yaml b/.github/workflows/linux_auto_assign_author.yaml
index 7f5765c92..3e380b32b 100644
--- a/.github/workflows/linux_auto_assign_author.yaml
+++ b/.github/workflows/linux_auto_assign_author.yaml
@@ -1,5 +1,6 @@
 # Automatically assigns the author who created the PR to the Assignees in GitHub.
 name: PR Author Assign
+permissions: read-all
 on:
 pull_request_target:
@@ -14,4 +15,4 @@ jobs:
 steps:
 - uses: toshimaru/auto-author-assign@v1.6.2
 with:
- repo-token: "${{ secrets.GITHUB_TOKEN }}"
\ No newline at end of file
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/linux_clang_format_check.yaml b/.github/workflows/linux_clang_format_check.yaml
index 0e942a1d1..b55e37da2 100644
--- a/.github/workflows/linux_clang_format_check.yaml
+++ b/.github/workflows/linux_clang_format_check.yaml
@@ -1,4 +1,5 @@
 name: "Clang format check"
+permissions: read-all
 on:
 push:
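Review bot: With the workflow-level `permissions: read-all` added at the top of linux_auto_assign_author.yaml, the `secrets.GITHUB_TOKEN` that the second hunk passes to `toshimaru/auto-author-assign` becomes read-only, while assigning the PR author is a write on the pull request. Lines 7–14 of that file fall between the two hunks and are not shown, so a job-level override may already exist; if it does not, the step will likely be rejected by the API, and a job-level `permissions:` block with `pull-requests: write` grants just the scope the action needs. Since the trigger is `pull_request_target`, keeping that grant on the job rather than widening the top-level default is the safer shape. The same check is worth making for linux_publish_api_docs.yaml and win_auto_roll.yaml, whose names suggest they publish or push changes, if they do so with GITHUB_TOKEN rather than a separate credential.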
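Review bot: The `permissions: read-all` line added in linux_clang_format_check.yaml grants read on every token scope, where a format check presumably only needs to check out the repository; a `permissions:` mapping with the single entry `contents: read` is the narrower default. The jobs themselves are outside the hunk, so confirm that nothing in them reads other scopes before narrowing. The same applies to the ten win_x64_* and win_x86_* build workflows later in this patch. A one-line comment above the key, such as `# Default the token to read-only; jobs opt in to extra scopes.`, would also tell the next editor why it is there.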
diff --git a/.github/workflows/linux_publish_api_docs.yaml b/.github/workflows/linux_publish_api_docs.yaml
index 18465d61b..4226ae744 100644
--- a/.github/workflows/linux_publish_api_docs.yaml
+++ b/.github/workflows/linux_publish_api_docs.yaml
@@ -1,4 +1,5 @@
 name: "Build and Publish API Documentation"
+permissions: read-all
 on:
 push:
diff --git a/.github/workflows/win_auto_roll.yaml b/.github/workflows/win_auto_roll.yaml
index f6cedd3b1..32c9d34b6 100644
--- a/.github/workflows/win_auto_roll.yaml
+++ b/.github/workflows/win_auto_roll.yaml
@@ -4,6 +4,7 @@
 # once the integration tests become green.
 # Any new dependencies in .\DEPS should also be added here.
 name: 'Auto Roll DEPS'
+permissions: read-all
 on:
 workflow_dispatch:
diff --git a/.github/workflows/win_x64_cmake_msvc_dbg.yaml b/.github/workflows/win_x64_cmake_msvc_dbg.yaml
index 78bdbdf2f..5f5cca1c4 100644
--- a/.github/workflows/win_x64_cmake_msvc_dbg.yaml
+++ b/.github/workflows/win_x64_cmake_msvc_dbg.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 CMake/MSVC (Debug)
+permissions: read-all
 on:
 # This is a required workflow specified in branch enforcement
diff --git a/.github/workflows/win_x64_cmake_msvc_rel.yaml b/.github/workflows/win_x64_cmake_msvc_rel.yaml
index dcae1d3fe..de284b960 100644
--- a/.github/workflows/win_x64_cmake_msvc_rel.yaml
+++ b/.github/workflows/win_x64_cmake_msvc_rel.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 CMake/MSVC (Release)
+permissions: read-all
 on:
 # This is a required workflow specified in branch enforcement
diff --git a/.github/workflows/win_x64_gn_clang_dbg.yaml b/.github/workflows/win_x64_gn_clang_dbg.yaml
index 89c1ce501..117585c0f 100644
--- a/.github/workflows/win_x64_gn_clang_dbg.yaml
+++ b/.github/workflows/win_x64_gn_clang_dbg.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 GN/Clang (Debug)
+permissions: read-all
 on:
 # This is a required workflow specified in branch enforcement
diff --git a/.github/workflows/win_x64_gn_clang_dbg_dawn.yaml b/.github/workflows/win_x64_gn_clang_dbg_dawn.yaml
index af443e461..ba99e03e6 100644
--- a/.github/workflows/win_x64_gn_clang_dbg_dawn.yaml
+++ b/.github/workflows/win_x64_gn_clang_dbg_dawn.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 GN/Clang WebGPU/Dawn (Debug)
+permissions: read-all
 on:
 workflow_dispatch:
diff --git a/.github/workflows/win_x64_gn_clang_rel.yaml b/.github/workflows/win_x64_gn_clang_rel.yaml
index 127dbc50e..aae65a165 100644
--- a/.github/workflows/win_x64_gn_clang_rel.yaml
+++ b/.github/workflows/win_x64_gn_clang_rel.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 GN/Clang (Release)
+permissions: read-all
 on:
 # This is a required workflow specified in branch enforcement
diff --git a/.github/workflows/win_x64_gn_clang_rel_dawn.yaml b/.github/workflows/win_x64_gn_clang_rel_dawn.yaml
index ea539615b..68b2ba0b7 100644
--- a/.github/workflows/win_x64_gn_clang_rel_dawn.yaml
+++ b/.github/workflows/win_x64_gn_clang_rel_dawn.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 GN/Clang WebGPU/Dawn (Release)
+permissions: read-all
 on:
 push:
diff --git a/.github/workflows/win_x64_gn_msvc_dbg.yaml b/.github/workflows/win_x64_gn_msvc_dbg.yaml
index 874ac064a..fdc3e25b7 100644
--- a/.github/workflows/win_x64_gn_msvc_dbg.yaml
+++ b/.github/workflows/win_x64_gn_msvc_dbg.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 GN/MSVC (Debug)
+permissions: read-all
 on:
 # This is a required workflow specified in branch enforcement
diff --git a/.github/workflows/win_x64_gn_msvc_rel.yaml b/.github/workflows/win_x64_gn_msvc_rel.yaml
index 496c4d0a0..56507d8b9 100644
--- a/.github/workflows/win_x64_gn_msvc_rel.yaml
+++ b/.github/workflows/win_x64_gn_msvc_rel.yaml
@@ -1,4 +1,5 @@
 name: Windows x64 GN/MSVC (Release)
+permissions: read-all
 on:
 # This is a required workflow specified in branch enforcement
diff --git a/.github/workflows/win_x86_gn_clang_dbg.yaml b/.github/workflows/win_x86_gn_clang_dbg.yaml
index 94e7f9983..a016c7f66 100644
--- a/.github/workflows/win_x86_gn_clang_dbg.yaml
+++ b/.github/workflows/win_x86_gn_clang_dbg.yaml
@@ -1,4 +1,5 @@
 name: Windows x86 GN/Clang (Debug)
+permissions: read-all
 on:
 # This is a required workflow specified in branch enforcement
diff --git a/.github/workflows/win_x86_gn_clang_rel.yaml b/.github/workflows/win_x86_gn_clang_rel.yaml
index dec8d76d8..a755dacee 100644
--- a/.github/workflows/win_x86_gn_clang_rel.yaml
+++ b/.github/workflows/win_x86_gn_clang_rel.yaml
@@ -1,4 +1,5 @@
 name: Windows x86 GN/Clang (Release)
+permissions: read-all
 on:
 # This is a required workflow specified in branch enforcement